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CLAIMS 

What is claimed is: 

1 1 . A network comprising: 

2 a plurality of network nodes; 

3 a plurality of routing devices to route network traffics between selected ones 

4 of said network nodes; and 

5 a director coupled to said routing devices to determine whether selected 

6 instances of source addresses of packets routed by said routing devices are spoof 

7 source addresses, based at least in part on one or more consistency measures. 

1 2. The network of claim 1 , wherein the director bases said determination on at 

2 least spatial distribution profiles of said source addresses, and in view of at least 

3 one reference source address spatial distribution profile. 

1 3. The network of claim 2, wherein said at least one reference source address 

2 spatial distribution profile comprises at least a selected one of an exemplary spatial 

3 distribution profile for a non-spoof source address in general, and a historical spatial 

4 distribution profile for a particular source address. 

1 4. The network of claim 1 , wherein the director bases said determination on at 

2 least destination source address range (DSAR) distribution profiles of said source 

3 addresses, and in view of at least one reference DSAR distribution profile. 
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1 5. The network of claim 4, wherein said at least one reference DSAR distribution 

2 profile comprises at least a selected one of an exemplary DSAR distribution profile 

3 for a non-spoof source address in general, and a historical DSAR distribution profile 

4 for a particular source address. 

1 6. The network of claim 1 , wherein the director bases said determination on at 

2 least migration distribution profiles of said source addresses, and in view of at least 

3 one reference migration distribution profile. 

1 7. The network of claim 6, wherein said at least one reference migration 

2 distribution profile comprises at least a selected one of an exemplary migration 

3 distribution profile for a non-spoof source address in general, and a historical 

4 migration distribution profile for a particular source address. 

1 8. The network of claim 1 , wherein the director bases said determination on at 

2 least timing distribution profiles of said source addresses, and in view of at least one 

3 reference source address timing distribution profile. 

1 9. The network of claim 8, wherein said at least one reference source address 

2 timing distribution profile comprises at least a selected one of an exemplary timing 

3 distribution profile for a non-spoof source address in general, and a historical timing 

4 distribution profile for a particular source address. 

1 1 0. The network of claim 1 , wherein the director is further equipped to determine 

2 whether filtering actions are to be taken to filter out packets with source addresses 
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3 having instances deemed to be spoof source addresses, and if filtering actions are 

4 to taken, where among said routing devices, said filtering actions are to be taken. 

1 11. The network of claim 1 0, wherein the director takes into consideration in 

2 making said where determination, where packets of non-spoof instances of a source 

3 address having instances deemed to be spoof source addresses are likely to be 

4 routed in said network. 

1 1 2. The network of claim 1 , wherein the director comprises a plurality of director 

2 devices cooperatively coupled to each other to jointly make said determination. 

1 1 3. The network of claim 1 , wherein the network further comprises a plurality of 

2 sensors, either integrally disposed in a subset of said routing devices or externally 

3 disposed and coupled to the subset of routing devices, to monitor and report on 

4 source addresses of packets routed through the subset of routing devices. 

1 14. The network of claim 13, wherein the sensors are further equipped to 

2 facilitate application of desired source address based filtering on packets being 

3 routed through selected ones of said subset of routing devices. 

1 15. A networking method comprising: 

2 receiving information associated with source addresses of packets being 

3 routed to and from a plurality of network nodes of a network; 

4 determining whether selected instances of said source addresses are spoof 

5 instances of said source addresses, based at least in part on one or more 

6 consistency measures; and 
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7 managing said network based at least in part on the results of said 

8 determination. 

1 16. The method of claim 15, wherein said determination is made based at least in 

2 part on spatial distribution profiles of said source addresses, and in view of at least 

3 one reference source address spatial distribution profile. 

1 17. The method of claim 16, wherein said determining comprises constructing 

2 said spatial distribution profiles of said source addresses. 

1 18. The method of claim 16, wherein said determining comprises determining 

2 whether each of the spatial distribution profiles of the source addresses is within a 

3 resemblance tolerance limit when compared to each of the at least one reference 

4 source address spatial distribution profile. 

1 19. The method of claim 1 6, wherein said at least one reference spatial 

2 distribution profile comprises at least a selected one of an exemplary spatial 

3 distribution profile for a non-spoof source address in general, and a historical spatial 

4 distribution profile for a particular source address. 

1 20. The method of claim 15, wherein said determination is made based at least in 

2 part on destination source address range (DSAR) distribution profiles of said source 

3 addresses, and in view of at least one reference DSAR distribution profile. 

1 21 . The method of claim 20, wherein said determining comprises constructing 

2 said DSAR distribution profiles of said source addresses. 
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1 22. The method of claim 20, wherein said determining comprises determining 

2 whether each of the DSAR distribution profiles of the source addresses is within a 

3 resemblance tolerance limit when compared to each of the at least one reference 

4 source address DSAR distribution profile. 

1 23. The method of claim 20, wherein said at least one reference DSAR 

2 distribution profile comprises at least a selected one of an exemplary DSAR 

3 distribution profile for a non-spoof source address in general, and a historical DSAR 

4 distribution profile for a particular source address. 

1 24. The method of claim 15, wherein said determination is made based at least in 

2 part on migration distribution profiles of said source addresses, and in view of at 

3 least one reference migration distribution profile. 

1 25. The method of claim 24, wherein said determining comprises constructing 

2 said migration distribution profiles of said source addresses. 

1 26. The method of claim 24, wherein said determining comprises determining 

2 whether each of the migration distribution profiles of the source addresses is within 

3 a resemblance tolerance limit when compared to each of the at least one reference 

4 source address migration distribution profile. 

1 27. The method of claim 24, wherein said at least one reference migration 

2 distribution profile comprises at least a selected one of an exemplary migration 
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3 distribution profile for a non-spoof source address in general, and a historical 

4 migration distribution profile for a particular source address. 

1 28. The method of claim 15, wherein said determination is made based on at 

2 least timing distribution profiles of said source addresses, and in view of at least one 

3 reference source address timing distribution profile. 

1 29. The method of claim 28, wherein said determining comprises constructing 

2 said timing distribution profiles of said source addresses. 

1 30. The method of claim 28, wherein said determining comprises determining 

2 whether each of the timing distribution profiles of the source addresses is within a 

3 resemblance tolerance limit when compared to each of the at least one reference 

4 source address timing distribution profile. 

1 31 . The method of claim 28, wherein said at least one reference timing 

2 distribution profile comprises at least a selected one of an exemplary timing 

3 distribution profile for a non-spoof source address in general, and a historical timing 

4 distribution profile for a particular source address. 

1 32. The method of claim 15, wherein said managing comprises determining 

2 whether filtering actions are to be taken in said network to filter out at least some 

3 packets having source addresses deemed to be having spoof instances, and if 

4 filtering actions are to be taken, where among a plurality of routing devices, said 

5 filtering actions are to be taken. 
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1 33. The method of claim 32, wherein said where determination comprises taking 

2 into consideration where packets of non-spoof instances of a source address having 

3 instances deemed to be spoof source addresses are likely to be routed in said 

4 network. 

1 34. An apparatus comprising: 

2 (a) a storage medium having stored therein a plurality of programming 

3 instructions designed to implement a director to receive reporting of information 

4 associated with source addresses of packets routed through a plurality of routing 

5 devices of a network, and to determine whether at least some instances of said 

6 source addresses are spoof instances; and 

7 (b) a processor coupled the storage medium to execute the programming 

8 instructions. 

1 35. The apparatus of claim 34, wherein said programming instructions are 

2 designed to make said determination based on at least spatial distribution profiles of 

3 said source addresses, and in view of at least one reference source address spatial 

4 distribution profile. 

1 36. The apparatus of claim 35, wherein said programming instructions are 

2 designed to be able to construct said spatial distribution profiles of said source 

3 addresses. 

1 37. The apparatus of claim 35, wherein said programming instructions are 

2 designed to be able to determine whether each of the spatial distribution profiles of 
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3 the source addresses is within a resemblance tolerance limit when compared to 

4 each of the at least one reference source address spatial distribution profile. 

1 38. The apparatus of claim 34, wherein said programming instructions are 

2 designed to make said determination based on at least destination source address 

3 range (DSAR) distribution profiles of said source addresses, and in view of at least 

4 one reference source address DSAR distribution profile. 

1 39. The apparatus of claim 38, wherein said programming instructions are 

2 designed to be able to construct said DSAR distribution profiles of said source 

3 addresses. 

1 40. The apparatus of claim 38, wherein said programming instructions are 

2 designed to be able to determine whether each of the DSAR distribution profiles of 

3 the source addresses is within a resemblance tolerance limit when compared to 

4 each of the at least one reference source address DSAR distribution profile. 

1 41 . The apparatus of claim 34, wherein said programming instructions are 

2 designed to make said determination based on at least migration distribution profiles 

3 of said source addresses, and in view of at least one reference source address 

4 migration distribution profile. 

1 42. The apparatus of claim 41 , wherein said programming instructions are 

2 designed to be able to construct said migration distribution profiles of said source 

3 addresses. 



Wetheralletal.- Network Traffic Regulation 31 Express Mail Label No: EL605310306US 

Including Consistency Based 
Detection and Filtering ... 



Attorney Docket Ref: 41007.F003 

1 43. The apparatus of claim 41 , wherein said programming instructions are 

2 designed to be able to determine whether each of the migration distribution profiles 

3 of the source addresses is within a resemblance tolerance limit when compared to 

4 each of the at least one reference source address migration distribution profile. 

1 44. The apparatus of claim 34, wherein said programming instructions are 

2 designed to make said determination based on at least timing distribution profiles of 

3 said source addresses, and in view of at least one reference source address timing 

4 distribution profile. 

1 45. The apparatus of claim 44, wherein said programming instructions are 

2 designed to be able to construct said timing distribution profiles of said source 

3 addresses. 

1 46. The apparatus of claim 44, wherein said programming instructions are 

2 designed to be able to determine whether each of the timing distribution profiles of 

3 the source addresses is within a resemblance tolerance limit when compared to 

4 each of the at least one reference source address timing distribution profile. 

1 47. The apparatus of claim 34, wherein said programming instructions are 

2 designed to be able to determine whether filtering actions are to be taken in said 

3 network to filter out at least some packets having source addresses deemed to be 

4 having spoof instances, and if filtering actions are to be taken, further determine 

5 where among a plurality of routing devices, said filtering actions are to be taken. 
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1 48. The apparatus of claim 47, wherein said programming instructions are 

2 designed to take into consideration where packets of non-spoof instances of a 

3 source address having instances deemed to be spoof source addresses are likely to 

4 be routed in said network, when making said where determination. 



1 
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